
ASA 5505 unable to Ping

woodjl1650
Level 1

I just tried to configure my ASA but I am unable to ping.  My setup is as follows:

Cable Modem (DHCP from ISP)---> ASA (192.168.1.1)--->Belkin Router (192.168.5.1)--->Switch (192.168.5.14)--->

Can you please look through my config and tell me what I did wrong?

Thanks,

ASA Version 8.2(3)

!

hostname WoodHomeASA-1

domain-name lv.cox.net

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

banner login                ** W A R N I N G **

banner login Unauthorized access prohibited. All access is

banner login monitored, and trespassers shall be prosecuted

banner login to the fullest extent of the law.

banner login                ** W A R N I N G **

boot system disk0:/asa823-k8.bin

boot config disk0:/asa823.bin

ftp mode passive

dns server-group DefaultDNS

domain-name lv.cox.net

object-group icmp-type ICMP-INBOUND

description Permit necessary inbound ICMP traffic

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND

access-list INBOUND extended permit tcp any any eq www

pager lines 24

logging console notifications

logging buffered warnings

logging asdm notifications

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-633.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group INBOUND in interface outside

route inside 192.168.5.0 255.255.255.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:00:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 192.168.1.0 255.255.255.255 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

webvpn

enable outside

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect dns prsent_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:658d8baf4bb5df65563b0cc499a9f287

: end


Pls. get the output of

sh ip

sh route

ping the GW on the outside and see if that responds.

-KS

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan1                    inside                 192.168.1.99    255.255.255.0   CONFIG

Vlan2                    outside                unassigned      unassigned      DHCP

Current IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan1                    inside                 192.168.1.99    255.255.255.0   CONFIG

Vlan2                    outside                unassigned      unassigned      DHCP

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0 255.255.255.0 is directly connected, inside

WoodHomeASA-1# ping 68.108.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 68.108.10.1, timeout is 2 seconds:

No route to host 68.108.10.1

Success rate is 0 percent (0/1)

The outside hasn't even got an IP address yet.  You can't go anywhere from this ASA.

Are you supposed to have a static IP or a dynamic DHCP address, do you know? What device is the ASA's outside interface connected to?

Reach out to the ISP and ask them about IP address for your outside.

-KS

DHCP IP Address and the ASA is connected to the cable modem via ethernet port 0/0

I just realized I might have an issue now.  I finally got internet to the ASA, but since I have a Belkin router, I don't think the WAN port on it will work coming off the ASA since they are on the same network.  It doesn't "pick up" the internet signal when I plug it into the switch port or the WAN port.  Is there something I can do on the ASA, since there is not much I can configure with the Belkin router?  Am I stuck now?

Jonathan,

So your topology is like this?

inside hosts--ASA--Belkin Router---Cable Modem---Internet?

Why isn't the Belkin providing an IP to the ASA?

Can you skip that and connect the ASA directly to the Cable modem? 

inside hosts---ASA--Cable_Modem---Internet

-KS

Internet---> ASA (192.168.1.99)--->Belkin Router (192.168.1.1)---> Inside Hosts

But I can't seem to get the internet from the ASA to the Belkin Router.

Internet---> ASA (68.108.10.253 Port0/0 192.168.1.99 Port0/1)--->Belkin Router (192.168.1.1)---> Inside Hosts

But I can't seem to get the internet from the ASA to the Belkin Router.

Hi,

What is the default route on the Belkin? It should have a next hop of the ASA's connected interface.

Regards.

Alain.

Don't forget to rate helpful posts.

Julio Carvajal
VIP Alumni

Hello Jonathan,

As I understand your topology this is the configuration you will need to have on the ASA:

Nat (inside) 1 0 0

Global (Outside) 1 0 0

route outside 0 0 68.108.10.1

Try this packet tracer to check the output:

packet-tracer input inside tcp 192.168.10.1.15 1025 4.2.2.2 80

Please provide us the output. Can you ping the ASA from the computers on the inside?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jonathan,

You need to get an IP address assigned for the ASA's outside interface. When you do a "sh ip" on the ASA you should see this IP address 68.108.10.253 in the output.

Once that is done, add the nat/global lines that Julio provided above and you should be able to get to the internet from a host on the inside.

-KS

Alright, tried that, still nothing.  I can't modify the router at all, so I don't know if that is the problem or not.  But I did try what Julio suggested and nothing.  I have internet access to the ASA, but not from the ASA to the router.  I tried plugging it into the built-in modem port and the switch port, nothing.

This is what I received when I tried to enter the Global line:

WoodHomeASA-1(config)# Global (outside) 1 0 0

                                            ^

ERROR: % Invalid input detected at '^' marker.

Here is the packet-trace info:

WoodHomeASA-1# packet-tracer input inside tcp 192.168.1.5 1025 4.2.2.2 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (68.108.11.128 [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.1.5/1025 to 68.108.11.128/25276 using netmask 255.255.255.255

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 12, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

WoodHomeASA-1# show ip

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan1                    inside                 192.168.1.99    255.255.255.0   CONFIG

Vlan2                    outside                68.108.11.128   255.255.255.0   DHCP

Current IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan1                    inside                 192.168.1.99    255.255.255.0   CONFIG

Vlan2                    outside                68.108.11.128   255.255.255.0

Jonathan,

You need the following lines. I didn't notice the typo by Julio.

Nat (inside) 1 0 0

Global (Outside) 1 interface

route outside 0 0 68.108.10.1  ---> is this the correct IP for the GW?

You already have the lines:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

make sure to issue "sh route" and see the route outside pointing to 68.108.10.1.

Ping from the ASA "ping 68.108.10.1" and make sure it replies. Then ping from the ASA "ping 4.2.2.2" and make sure you get a reply.

You can also trace route from the ASA.

traceroute 4.2.2.2

-KS
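
The checks asked for in this thread (an address on the outside interface in "sh ip", a default route in "sh route", and a gateway that is the right one for the outside subnet) can be run over captured output. This is an added example, not part of the original posts; the sample captures are abridged from the outputs posted above, and the default-route row and its layout are constructed assumptions.

```python
import ipaddress
import re

IP = r"(?:\d{1,3}\.){3}\d{1,3}"
# One `show ip` row: interface, nameif, address, mask (Method may wrap to the next line).
IFACE_RE = re.compile(rf"^(\S+)[ \t]+(\S+)[ \t]+({IP}|unassigned)[ \t]+({IP}|unassigned)", re.M)
# Assumed layout of a default-route row in `show route`.
DEFAULT_RE = re.compile(rf"^\S+[ \t]+0\.0\.0\.0[ \t]+0\.0\.0\.0[ \t].*?via[ \t]+({IP}),[ \t]*(\S+)", re.M)

# Sample captures, abridged from the outputs posted in the thread.
SHOW_IP_BEFORE = """\
Vlan1                    inside                 192.168.1.99    255.255.255.0
Vlan2                    outside                unassigned      unassigned
"""
SHOW_IP_AFTER = """\
Vlan1                    inside                 192.168.1.99    255.255.255.0
Vlan2                    outside                68.108.11.128   255.255.255.0
"""
SHOW_ROUTE_BEFORE = """\
Gateway of last resort is not set
C    192.168.1.0 255.255.255.0 is directly connected, inside
"""
# Constructed: a route table containing the static default route suggested in the thread.
SHOW_ROUTE_STATIC = """\
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 68.108.10.1, outside
"""

def parse_show_ip(text):
    """Map nameif -> ip_interface, or None when the address is unassigned."""
    rows = {}
    for _hw, name, ip, mask in IFACE_RE.findall(text):
        rows[name] = None if ip == "unassigned" else ipaddress.ip_interface(f"{ip}/{mask}")
    return rows

def diagnose(show_ip, show_route, egress="outside"):
    """Return findings that would stop inside hosts from reaching the internet."""
    findings = []
    addr = parse_show_ip(show_ip).get(egress)
    if addr is None:
        findings.append(f"{egress} has no IP address")
    match = DEFAULT_RE.search(show_route)
    if match is None:
        findings.append("no default route")
        return findings
    gateway, via = ipaddress.ip_address(match.group(1)), match.group(2)
    if via != egress:
        findings.append(f"default route leaves via {via}, not {egress}")
    if addr is not None and gateway not in addr.network:
        findings.append(f"gateway {gateway} is not in {addr.network}")
    return findings
```

With the addresses posted in the thread, the last check fires for the suggested next hop 68.108.10.1 against an outside address of 68.108.11.128 with mask 255.255.255.0.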

Still nothing, I believe my problem is that I can't configure the router.  I can only plug into the WAN port.  And for some reason, the router doesn't get anything from the ASA.

Internet--Router(.1)--- (68.108.10.253)--ASA--192.168.1.99---(.1)Belkin Router---Inside Hosts

Which router are you talking about? The one on the outside or the Belkin on the inside?

1. ASA can ping 68.108.10.1?

2. ASA can ping 192.168.1.1?

3. inside hosts can ping 192.168.1.99?

4. inside hosts can ping 68.108.10.1?

Who manages the outside router? Reach out to them and ask them to do some testing?

-KS
